I am a lurker here and occasionally I post (and log in). Today I am posting about GWAPT. I have found several threads here pointing out information about the exam, but what I was wondering is if anyone here has actually challenged it? I am being tasked with securing our web servers and web code and I was thinking about studying for the GWAPT. I already have the Web Application Hacker's Handbook and I am reviewing the OWASP Testing Guide. I plan to finish both as soon as possible. I also would like to take the So you want to learn web application hacking course and eLearnSecurity before I attempt this (as well as complete C|EH, eCPPT and a few others). I was just wondering if 8-9 months would be enough for a total noob to get to this level. Any thoughts?

My background:

I have been somewhat thrown into an infosec position (and I am happy). I have the certs listed in my signature and I am working on the SSCP as we speak. I would like to work on layer 3-7 security so I'd like GSEC, GCIA, GPEN and GWAPT. My current position is becoming oriented in the direction of those 4 certs but I can't afford them all (even if I did challenge). At best I would be able to do GCIA and GWAPT (which are two I really, really want anyway).

Last edited by knwminus on Wed Dec 01, 2010 11:13 pm, edited 1 time in total.

I think it's doable from your standpoint. I know you get 120 days in the eLearnSecurity course before you can officially take on the certification attempt; in fact, they allow you to opt for it after being enrolled in the course for 7 days. This is way more than enough time to go through the entire content. The "So you want to be a web-app pentester" course from learnsecurityonline looks like it has its pluses too - very affordable, no certification attempt but looks like it goes very in-depth regarding attack vectors. I would recommend taking one of these courses first before opting for GWAPT but I haven't taken the GWAPT course and don't know how intense it is.

If you have the Web Application Hacker's Handbook it sounds like you have a great resource already. Public vulnerable web apps out there like Damn Vulnerable Web App and Mutillidae serve to be other great resources - you should have a look at them.

Thanks for the replies and suggestions. I hadn't heard of Mutillidae. I will probably work with DVWA later tonight (and crack my Web Application Hacker's Handbook). Guess not many folks work with web stuff around here lol